Skip to content

Access Controller

The Access Controller (alternatively Provider in the context of Ocean Protocol) is a REST API designed for the provision of services. It performs a series of checks to verify the buyer's permission to access the service. The access controller acts as an intermediary between the data source and the user, thus preventing the need for the user to have direct access to the data.

Security considerations

To achieve maximum security and data sovereignty it's recommended to seld-host an Access Controller component or use a trusted service provider. Leveraging the compute-to-data paradigm the data stays under the control of the owner and never leaves the secure infrastructure. Algorithms running on the data will be audited and explicitly allowed to run on the data to prevent data leakage.

Functionalities

Access Control

The Access Controller performs a series of checks to verify the buyer's permission to access the service:

  1. Checking the lifecycle state of the asset to confir its availability
  2. Checking if the buyer has purchased and spent the access token (also calles "datatoken" in the Ocean Protocol docs) to gain access to the data.
  3. Checking the access control conditions to the service, using the allow/deny lists of the service

Algorithm integrity checks

When utilising the compute-to-data functionality, the Access Controller conducts integrity checks utilising hashes of the algorithm and the Docker container prior to computation. This process is designed to prevent the execution of potential malicious unaudited algorithms.

Catalogue metadata encryption/decryption

The publisher uses a trusted Access Controller`s api encryption endpoint to encrypt their service metadata prior to publishing (anchoring the service offering on the blockchain).

Any trusted metadata cache component (Aquarius) can call the decryption api endpoint of the Access Controller to decrypt the metadata fetched from the blockchain. This ensures that only selected Aquarius instances have access to the service offering metadata.

This feature enables private service catalogues.

Files endpoint encryption/decryption

The files field in the metadata is encrypted independently from the rest. It includes the endpoint details to access the data or the algorithm files. It's encryped one step before encrypting the complete metadata object (also known as DDO in the Ocean Protocol context) and decrypted by the Access Controller upon consumption of the service. This means that endpoint details never leave the Access Controller's trusted domain in an unencrypted way.

Compute Services

The Access Controller provides hardware details (CPU, RAM, GPU), pricing and availability information of connected compute environments.

Further documentation and repositories

Ocean Protocol Docs: https://docs.oceanprotocol.com/developers/provider

Provider Repository: https://github.com/OceanProtocolEnterprise/provider

APIs

Genral endpoints: https://docs.oceanprotocol.com/developers/provider/general-endpoints

Encryption/Decryption: https://docs.oceanprotocol.com/developers/provider/encryption-decryption

Compute Endpoints: https://docs.oceanprotocol.com/developers/provider/compute-endpoints

Authentication Endpoints: https://docs.oceanprotocol.com/developers/provider/authentication-endpoints